Wireguard Site to Site, Tunnel Up, One Way LAN Traffic Only

Hi,

I have spent so many hours reading this forum, Googling, but to no avail.

I have a site-to-site Wireguard tunnel working.

One site can successfully ping the local router, the near end of the tunnel, the far end of the tunnel, the far router LAN address, and clients on the far LAN.

The other site can successfully ping the same sequence in reverse, including the remote router LAN address, but not any clients on the LAN.

I have tried every permutation of masquerading, but I can't get over that last hurdle.

I would welcome any suggestions - thank you!

Site: Home cat /etc/config/network

# /etc/config/network at the Home site (OpenWrt UCI). Lines starting with '#'
# are comments and are ignored by the UCI parser.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:9b96::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# The only upstream path on this box is br-lan itself: no 'wan' interface is
# defined anywhere in this file and the default route goes via the ISP router
# at 192.168.1.1 on the LAN. Consequently every firewall zone that lists
# 'wan'/'wan6' is empty on this site, and inbound WireGuard handshakes that
# the ISP router forwards to 192.168.1.2 arrive on br-lan (the 'lan' zone),
# not on a 'wan' zone.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option ipaddr '192.168.1.2'
        list dns '192.168.1.5'

# Tunnel endpoint. The private key below is a placeholder; the real one must
# never be posted or shared. listen_port 51820 is only reachable from the
# Internet if the ISP router forwards UDP 51820 to 192.168.1.2.
config interface 'wg_s2s_a'
        option proto 'wireguard'
        option private_key 'kGkGkGkGkGkGkGkGkGkGkGkGkGkGkGkG'
        option listen_port '51820'
        # A /32 gives no on-link route for the 10.0.0.0/24 transit net; the
        # only route to 10.0.0.2 then comes from the peer's allowed_ips below.
        # A /24 here (10.0.0.1/24) makes the whole transit subnet routable.
        list addresses '10.0.0.1/32'

# Peer: the Workshop router. allowed_ips is both the cryptokey routing table
# (which source addresses WireGuard accepts from this peer; anything else is
# silently dropped) and, with route_allowed_ips=1, the set of routes that get
# installed via wg_s2s_a.
config wireguard_wg_s2s_a 's2s_vpn_site_workshop'
        option public_key 'yNyNyNyNyNyNyNyNyNyNyNyNyNyNyNyNyNyNyNyN'
        # Optional pre-shared key on top of the Curve25519 handshake; must be
        # byte-identical on both peers.
        option preshared_key 'A5xA5xA5xA5xA5xA5xA5xA5xA5xA5xA5xA5xA5xA5x'
        option description 'Site Workshop, yyy.yyydns.net'
        option route_allowed_ips '1'
        # Both sites sit behind NAT (this box behind 192.168.1.1, the Workshop
        # behind a carrier-assigned 10.19.114.x address per the posted route
        # table), so the UDP mapping has to be kept alive.
        option persistent_keepalive '25'
        option endpoint_host 'xxx.dns.net'
        option endpoint_port '51820'
        list allowed_ips '192.168.10.0/24'
        # NOTE(review): this prefix does not match the Workshop's ula_prefix
        # as posted (ffff:eeee:1541::/48). Probably a redaction artefact, but
        # worth checking: IPv6 from the Workshop LAN whose source is outside
        # allowed_ips is dropped by WireGuard without any firewall log entry.
        list allowed_ips 'eeee:ffff:1541::/48'
        list allowed_ips '10.0.0.2/32'

Site: Home cat /etc/config/firewall

# /etc/config/firewall at the Home site (OpenWrt fw4 / UCI). '#' lines are
# comments and are ignored by the parser. Rules are evaluated in the order
# they appear here.
#
# NOTE(review): to separate a routing problem from a filtering problem on this
# box, run `tcpdump -ni wg_s2s_a icmp` and `tcpdump -ni br-lan icmp` here while
# pinging a 192.168.1.x host from the Workshop. An echo-request seen on
# wg_s2s_a but never on br-lan is being dropped by this router (firewall or
# route); one seen on br-lan with no reply is a return-route or host-firewall
# problem on the LAN host.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Anything not covered by an explicit 'config forwarding' is rejected.
        option forward 'REJECT'
        option synflood_protect '1'

# LAN zone (br-lan). On this site it is also the only path to the Internet:
# /etc/config/network defines no 'wan' interface and the default route is via
# the ISP router 192.168.1.1 on br-lan.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Intra-zone policy; with a single network in the zone it has no effect.
        option forward 'ACCEPT'
        list network 'lan'
        # SNAT of forwarded traffic that leaves via br-lan, which includes
        # everything arriving from the tunnel. This is the workaround for an
        # ISP router that cannot hold a route for 192.168.10.0/24: Workshop
        # traffic reaches home hosts with source 192.168.1.2, so their replies
        # come back here without any per-host routes. Trade-offs: home hosts,
        # their firewalls and their logs cannot tell individual Workshop
        # machines apart, and a home host still cannot originate a connection
        # to 192.168.10.0/24 unless it has its own route via 192.168.1.2.
        option masq '1'

# WAN zone. Neither 'wan' nor 'wan6' is defined in this site's network config,
# so the zone has no devices here and no 'src wan' rule below can match on
# this box; it is kept for parity with the Workshop config.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here down to Allow-ISAKMP are the stock OpenWrt defaults.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Allow-IPSec-ESP and Allow-ISAKMP open ESP and UDP/500 from wan into lan.
# If IPsec is not used anywhere, drop both (least privilege).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Inbound WireGuard handshakes. Only relevant if the ISP router forwards UDP
# 51820 to 192.168.1.2 -- and on this site those packets then arrive on br-lan
# (lan zone, input ACCEPT), so this rule is not what admits them.
config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

# Tunnel zone. input ACCEPT exposes every service on this router (ssh, LuCI,
# DNS, ...) to the other site; fine for a fully trusted site-to-site link,
# otherwise restrict it to the ports actually needed. forward REJECT is the
# intra-zone (peer-to-peer through this box) policy.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg_s2s_a'
        option forward 'REJECT'

# Both directions between the LAN and the tunnel are allowed.
config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'

Site: Workshop cat /etc/config/network

# /etc/config/network at the Workshop site (OpenWrt UCI). Lines starting with
# '#' are comments and are ignored by the UCI parser.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # NOTE(review): the Home peer config lists this site's IPv6 range as
        # eeee:ffff:1541::/48, which does not match this prefix as posted.
        # Probably a redaction artefact; if it is real, IPv6 from this LAN is
        # dropped at Home by WireGuard's allowed_ips check, with no log entry.
        option ula_prefix 'ffff:eeee:1541::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# LAN. This router is the default gateway for Workshop hosts, so no per-host
# routes are needed on this side.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        option ipaddr '192.168.10.1'

# LTE uplink via ModemManager. wwan0 carries a private address (10.19.114.21
# in the posted route table), i.e. the carrier NATs this site: inbound
# handshakes from the Internet cannot reach listen_port 51820 here, so this
# site has to initiate the tunnel towards Home and keep the mapping alive.
config interface 'SmartyLTE'
        option proto 'modemmanager'
        option device '/sys/devices/platform/soc/3f980000.usb/usb1/1-1/1-1.2'
        option auth 'none'
        option iptype 'ipv4'

config interface 'wwan'
        option proto 'dhcp'
        option device 'wwan0'

# Tunnel endpoint. The private key below is a placeholder; never post the real
# one.
config interface 'wg_s2s_b'
        option proto 'wireguard'
        option private_key 'cCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcC'
        option listen_port '51820'
        # A /32 means the 10.0.0.0/24 transit subnet is not on-link here; the
        # posted Workshop route table indeed has no 10.0.0.0/24 entry, only
        # the /32 host routes that come from allowed_ips. 10.0.0.2/24 would
        # make the whole transit subnet routable.
        list addresses '10.0.0.2/32'

# Peer: the Home router. allowed_ips is both the cryptokey routing table
# (which source addresses WireGuard accepts from Home; anything else is
# silently dropped) and, with route_allowed_ips=1, the set of routes installed
# via wg_s2s_b.
config wireguard_wg_s2s_b 's2s_vpn_site_home'
        option public_key 'sSsSsSsSsSsSsSsSsSsSsSsSsSsSsSsSsSsS'
        # Must be byte-identical to the PSK configured at Home.
        option preshared_key 'tTtTtTtTtTtTtTtTtTtTtTtTtTtTtTtTtTtT'
        option description 'Site Home, xxx.xxxdns.net'
        option route_allowed_ips '1'
        # Required behind carrier NAT: keeps the outbound UDP mapping open so
        # Home can send back through it.
        option persistent_keepalive '25'
        option endpoint_host 'xxx.xxxdns.net'
        option endpoint_port '51820'
        list allowed_ips '192.168.1.0/24'
        # Home's ula_prefix is redacted as xxxx:xxxx:9b96::/48 in the post, so
        # whether this matches cannot be checked from the listing.
        list allowed_ips 'ffff:ffff:9b96::/48'
        list allowed_ips '10.0.0.1/32'

Site: Workshop cat /etc/config/firewall

# /etc/config/firewall at the Workshop site (OpenWrt fw4 / UCI). '#' lines are
# comments and are ignored by the parser. Rules are evaluated in the order
# they appear here.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Anything not covered by an explicit 'config forwarding' is rejected.
        option forward 'REJECT'
        option synflood_protect '1'

# LAN zone (br-lan).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Intra-zone policy; with a single network in the zone it has no effect.
        option forward 'ACCEPT'
        list network 'lan'
        # NOTE(review): masquerading on the LAN zone is not needed on this
        # site -- this router is the hosts' default gateway, so replies to
        # 192.168.1.x already come back here. It only hides the real Home
        # source address from Workshop hosts and their logs.
        option masq '1'

# WAN zone. 'wan'/'wan6' are not defined in this site's network config; the
# live uplinks are SmartyLTE/wwan (wwan0).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'SmartyLTE'
        list network 'wwan'
        # Required for IPv4 Internet access over the LTE uplink.
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here down to Allow-ISAKMP are the stock OpenWrt defaults.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Allow-IPSec-ESP and Allow-ISAKMP open ESP and UDP/500 from wan into lan.
# If IPsec is not used anywhere, drop both (least privilege).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Inbound WireGuard handshakes. wwan0 has a carrier-private address
# (10.19.114.21 in the posted route table), so Internet-originated handshakes
# most likely never reach this port; the rule is harmless but inert. The
# tunnel relies on this site initiating towards Home plus persistent_keepalive.
config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

# Tunnel zone. forward ACCEPT here is the intra-zone policy, i.e. traffic that
# enters and leaves via wg_s2s_b (one peer to another through this router).
# The posted route table shows a second peer (10.0.0.3), so confirm that peers
# are meant to reach each other via this site; use REJECT, as at Home, if not.
# input ACCEPT exposes every service on this router to the other site.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg_s2s_b'
        option forward 'ACCEPT'

# LAN -> tunnel: lets Workshop hosts reach 192.168.1.0/24.
config forwarding
        option src 'lan'
        option dest 'vpn'

# NOTE(review): there is no matching 'src vpn / dest lan' forwarding, so
# traffic arriving from the tunnel for 192.168.10.0/24 hosts falls through to
# the default 'forward REJECT' on this box; the Home config has both
# directions. If Home -> Workshop pings really do succeed with this listing in
# force, check the running ruleset (`fw4 print`, or
# `nft list chain inet fw4 forward_vpn`) -- otherwise add:
#   config forwarding
#           option src 'vpn'
#           option dest 'lan'
#
# tunnel -> WAN: everything that arrives over the tunnel (the Home site and
# any other peer) may use this site's LTE uplink as an Internet egress,
# masqueraded by the wan zone. Remove this unless that is intended; it may
# simply be a typo for dest 'lan'.
config forwarding
        option src 'vpn'
        option dest 'wan'

Thanks again

The address on each VPN master interface should be a /24 (10.0.0.1/24 at Home, 10.0.0.2/24 at Workshop) so that the whole 10.0.0.0/24 transit subnet, and therefore the other end of the tunnel, is routed via the WireGuard interface without depending on the peer's allowed_ips entry.

Don't set masquerade on any vpn or lan zone. Masquerade must stay on the wan zones for IPv4 Internet access; that doesn't affect the VPN.


Just add the wireguard network on each end to the LAN firewall zone. Unless you have some need to limit the devices that can be accessed over the wireguard tunnel, there's no need to have a separate firewall zone. Bear in mind that this gives the remote site exactly the same privileges as local LAN hosts — including the router's own services (the lan zones here have input ACCEPT) and the lan→wan Internet forwarding — so keep the separate zone if the other site is not fully trusted.


Does the ISP router on the home network side provide the ability to set static routes?

Without static routes, it will be possible to connect from the workshop to your home, but not the other way around.

EDIT: for clarity — the direction that depends on the static route is the one originating at home: 192.168.1.5 > 192.168.10.5 is not possible without it, because 192.168.1.5's default gateway (the ISP router) has no route for 192.168.10.0/24 and so never sends the packet to 192.168.1.2. With masquerading on the home lan zone instead, it is the opposite direction (192.168.10.5 > 192.168.1.5) that works.

If static routes are not available on the ISP router, you'll need to enable masquerading on the wireguard router's lan firewall zone. Masquerading should be disabled on the wireguard zones. Note the trade-off: with masquerading on the lan zone every connection from the workshop reaches home hosts with source 192.168.1.2, so host firewalls and logs can no longer distinguish individual workshop machines, and home hosts still cannot originate connections to 192.168.10.0/24 without a host route.


Yes that's a very good point-- the home ISP router needs a static route 192.168.10.0/24 via 192.168.1.2. Otherwise the home LAN does not know how to return packets it receives with a 192.168.10 source IP.

If you choose instead to masquerade packets as they leave the home wireguard router, connections from the workshop will appear to the home LAN to have come from 192.168.1.2, and it will be possible to return the traffic. But the home PC will not be able to originate a connection to the workshop, since it doesn't have a proper route to 192.168.10.0.


Exactly.

It's the ISP router that could be the limitation here.
There are workarounds, but they're not elegant or desirable.


Thanks for the suggestion mk24. I tried changing to a 24 bit mask but that didn't make any difference

And I tried various permutations of Masquerade but that still didn't work either - sorry

Thanks for the suggestions psherman

The ISP router is very basic, but compulsory. It has no ability to set routes

As the VPN gateway at home is behind the router, I have set persistent static routes on those windows and rpi clients on the home LAN that need to see/be seen by the other side.

This is a pain, but works, as those clients in 192.168.1 can ping and get replies from clients in 192.168.10

So that implies that the routing/firewall is good end-to-end from home(192.168.1) to workshop(192.168.10) starting from the home side

Over in the workshop, the rpi OpenWrt/Wireguard router is the default gateway, so I'm not adding any extra static routes

Those workshop clients, and in fact the workshop router itself, can all ping the far end(home end) of the Wireguard tunnel (10.0.0.1), so know to route traffic through the local default gateway towards the far side.

But there's no response from the LAN address for the far side (home) router (192.168.1.1) or any of the 192.168.1.x clients

So it feels like the traffic is stopping / being blocked / dropped / not being routed by the home Wireguard server (192.168.1.2)

I've tried enabling firewall logging, and examining logread, but can't find anything at all referencing this

If it helps at all, the routes are as follows:

Home

ip route show

default via 192.168.1.1 dev br-lan
10.0.0.0/24 dev wg_s2s_a scope link  src 10.0.0.1
10.0.0.2 dev wg_s2s_a scope link
10.0.0.3 dev wg_s2s_a scope link
92.40.197.221 via 192.168.1.1 dev br-lan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.2
192.168.10.0/24 dev wg_s2s_a scope link

Workshop

ip route show

default via 10.19.114.22 dev wwan0  src 10.19.114.21
10.0.0.1 dev wg_s2s_b scope link
10.0.0.3 dev wg_s2s_b scope link
10.19.114.20/30 dev wwan0 scope link  src 10.19.114.21
[public ip redacted] via 10.19.114.22 dev wwan0
192.168.1.0/24 dev wg_s2s_b scope link
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1

After all that Googling, I'm still no closer to being able to find tests / evidence which will help identify whether this is a routing issue or a firewall issue

Any pointers to links where I can RTFM on this point would be very welcome

Thanks again

This was precisely the inelegant, but functional solution I was thinking about as a workaround. The fact that the individual hosts need static routes (since the ISP router doesn't support user-added routes) means that there is extra friction in the setup. If anything changes in your network topology, you may have to reconfigure those routes. And only devices that have the ability to add additional routes can participate in this... good luck getting static routes into some random IoT device.

Check the local firewalls to make sure they will accept connections from different subnets. Windows, by default, blocks inbound connections from any other subnets.

Also, on the home side, I think you actually want 2 static routes into those hosts to ensure that anything that comes from the tunnel/routers itself can be returned...
192.168.10.0/24 via 192.168.1.2
10.0.0.0/24 via 192.168.1.2

I'd recommend making this a /24 (10.0.0.1/24)